A new Dridex malware campaign has been targeting vulnerable .com domains around the world. Security analysts believe the campaign was boosted by the Necurs botnet.
The infamous Dridex malware is back with a vengeance and has been targeting multiple countries over the last few days, including Australia, France, and the UK. Dridex has been around for a few years now and has mostly gone after banks, as was the case with the most recent attacks, which began on January 17. According to Forcepoint Security Labs, the latest Dridex campaign is injecting malware into vulnerable FTP sites rather than the HTTP sites seen in the past. While .au, .fr, and .uk domains were among the most targeted, around half of the attacks were aimed at .com top-level domains.
Forcepoint’s analysis indicates that the group behind the attacks seems to have a large supply of compromised accounts at its disposal and is not worried about exposing FTP credentials to even more malicious actors. Alternatively, that could just be part of the plan: if multiple groups attack the same website, it becomes harder for security researchers to track everyone involved and find the people running Dridex.
According to the researchers, this most recent Dridex campaign was likely spread using Necurs, even though the attack method differs somewhat from what has been seen in the past. Necurs is one of the largest botnets in the world and has been observed boosting many malware campaigns, including a few involving Dridex. Forcepoint notes that some of the compromised domains hosting the malware have been used in previous Necurs campaigns, while the infected document downloaders were similar to what has come to be expected from the botnet.
Having said all that, there is some conflicting information here as well. Necurs is known to be capable of sending millions of emails in a matter of hours, but the most recent Dridex campaign seems to involve only about 9,500 phishing emails. The fact that the attackers are now using FTP is also a bit strange given their usual modus operandi. However, that could simply be a way of throwing off security experts, or it may just be a more effective method of spreading the malware.
Just a few days ago, Necurs was part of a different malware campaign, and that one took place on a larger scale, involving millions of spam emails, which, as mentioned, is what the botnet is generally known for. Interestingly, this was the botnet’s first campaign involving cryptocurrency. The emails were reportedly sent to push a rather obscure digital currency known as Swisscoin. The campaign started around January 15th and was probably meant to raise the price of Swisscoin. While it did have some effect according to the most recent charts, the growth was ultimately negligible, as 1 Swisscoin continues to sit at well under $1.